U.S. Department of the Interior Office of Inspector General AUDIT REPORT



Similar documents
U.S. Department of the Interior Office of Inspector General AUDIT REPORT

U.S. Department of the Interior Office of Inspector General AUDIT REPORT

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Audit of Case Activity Tracking System Security Report No. OIG-AMR

Office of Inspector General

Department of Homeland Security

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

How To Check If Nasa Can Protect Itself From Hackers

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

VA Office of Inspector General

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

HIPAA Information Security Overview

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

March 17, 2015 OIG-15-43

Audit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture

STATE OF NORTH CAROLINA

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

MICHIGAN AUDIT REPORT PERFORMANCE AUDIT OF THE QUALIFIED VOTER FILE AND DIGITAL DRIVER'S LICENSE SYSTEMS

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL 400 MARYLAND AVENUE, S.W. WASHINGTON, DC

Information Security Series: Security Practices. Integrated Contract Management System

Final Audit Report. Report No. 4A-CI-OO

Office of the State Auditor. Audit Report

Information Resources Security Guidelines

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

SECTION 15 INFORMATION TECHNOLOGY

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

Performance Audit E-Service Systems Security

AUDIT REPORT. The Energy Information Administration s Information Technology Program

Department of Homeland Security

OIG. Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center. Audit Report OFFICE OF INSPECTOR GENERAL

Memorandum. Audit Report No.: OAS-L REPLY TO ATTN OF: Chief Financial Officer, CF-1 TO: INTRODUCTION AND OBJECTIVE

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Final Audit Report -- CAUTION --

Department of Transportation Financial Management Information System Centralized Operations

INSPECTION CLOUD COMPUTING SECURITY DOCUMENTATION IN THE CYBER SECURITY ASSESSMENT MANAGEMENT SOLUTION

April promoting efficient & effective local government

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

VA Office of Inspector General

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention

U.S. Department of the Interior Office of Inspector General SPECIAL REPORT

May 2, 2016 OIG-16-69

Office of Inspector General

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

How To Audit The Mint'S Information Technology

Legislative Language

Final Audit Report -- CAUTION --

Audit Report. Management of Naval Reactors' Cyber Security Program

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

Computer Security Roles and Responsibilities and Training Should Remain Part of the Computer Security Material Weakness.

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

Department of Transportation Office of Transportation Technology Services

Office of Inspector General

Report No. D May 14, Selected Controls for Information Assurance at the Defense Threat Reduction Agency

DoD Methodologies to Identify Improper Payments in the Military Health Benefits and Commercial Pay Programs Need Improvement

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

VA Office of Inspector General

INFORMATION TECHNOLOGY SECURITY STANDARDS

Office of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits

Office of Inspector General SECURITY OF SCIENCE AND ECOSYSTEMS SUPPORT DIVISION (SESD) LOCAL AREA NETWORK (LAN)

Report Number: AP-FS ADP and Technical Support Division Date of Issue: June 6, 1997 Washington, D.C

Office of the Inspector General Department of Defense

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

OCC 98-3 OCC BULLETIN

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

NATIONAL OCEANIC AND ATMOSPHERIC ADMINISTRATION. Opportunities to Strengthen Internal Controls Over Improper Payments PUBLIC RELEASE

a GAO GAO INFORMATION SECURITY Information System Controls at the Federal Deposit Insurance Corporation

EPA Needs to Improve Its. Information Technology. Audit Follow-Up Processes

PBGC Information Security Policy

Audit of Controls Over Contract Payments FINAL AUDIT REPORT

Audit of the Department of State Information Security Program

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Office of Inspector General

July 18, Paul A. Wohlleben, Director Office of Information Resources Management (3401)

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Department of Information Technology Database Administration Management Audit Final Report

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Department of Veterans Affairs

Department of Homeland Security Office of Inspector General

OAIG-AUD (ATTN: AFTS Audit Suggestions) Inspector General of the Department of Defense 400 Army Navy Drive (Room 801) Arlington, VA

CTR System Report FISMA

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Audit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit

Department of Education audit - A Case Study

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

EPA Needs to Strengthen Financial Database Security Oversight and Monitor Compliance

New York City Budget -audit

for Kimberly F. Benoit Deputy Assistant Inspector General for Information Technology and Data Analysis

Circular to All Licensed Corporations on Information Technology Management

The Certification and Accreditation of Computer Systems Should Remain in the Computer Security Material Weakness. August 2004

Parcel Readiness Product Tracking and Reporting System Controls

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

POSTAL REGULATORY COMMISSION

Transcription:

U.S. Department of the Interior Office of Inspector General AUDIT REPORT GENERAL CONTROL ENVIRONMENT OF THE FEDERAL FINANCIAL SYSTEM AT THE RESTON GENERAL PURPOSE COMPUTER CENTER, U.S. GEOLOGICAL SURVEY REPORT NO. 97-I-98 OCTOBER 1996

United States Department of the Interior OFFICE OF INSPECTOR GENERAL Washington, D.C. 20240 MEMORANDUM TO: FROM: SUBJECT SUMMARY: Final Audit Report for Your Information - General Control Environment of the Federal Financial System at the Reston General Purpose Computer Center, U.S. Geological Survey (No. 97-I-98) Attached for your information is a copy of the subject final audit report. This report presents a summary of the draft audit report Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center, issued by the Office of Inspector General, U.S. House of Representatives, on September 3, 1996. We were informed by the House s Office of Inspector General that the information presented in this draft report is the same information that will be presented in their final audit report. The objective of the audit was to evaluate the effectiveness of the general control environment surrounding the Federal Financial System and the processing of financial data for the House. The House Office of Inspector General s audit report identified 42 weaknesses and made 70 recommendations for corrective actions to the U.S. Geological Survey and one recommendation for corrective action to both the Geological Survey and the House s Chief Administrative Officer. The report identified weaknesses in data center management and operations; mainframe computer system physical and logical security; telecommunications security; protection of the local area network from unauthorized access and use; and contingency planning, including backup procedures for preventing data loss and for the recovery of data in case of a disaster. The Geological Survey and House management worked collaboratively with our office, the House s Office of Inspector General, and the contracted auditing team that performed the review to resolve key issues. As a result of this collaborative effort, the Geological Survey was able to take immediate corrective actions to resolve the deficiencies that could have adversely impacted the integrity and security of the processing of the House s financial data on the Federal Financial System. The Geological Survey concurred with or proposed alternative recommendations for each of the report s recommendations. Based on the response, we considered 13 recommendations implemented and 58 recommendations resolved but not implemented.

If you have any questions concerning this matter, please contact meat (202) 208-5745 or Mr. Robert J. Williams, Acting Assistant Inspector General for Audits, at (202) 208-4252. Attachment

United States Department of the Interior OFFICE OF THE INSPECTOR GENERAL Washington, D.C. 20240 H-IN-GSV-001-96 Memorandum AUDIT REPORT To: From: Subject: Assistant Secretary - Water and Science Acting Assistant Inspector General for Audits Audit Report on the General Control Environment of the Federal Financial System at the Reston General Purpose Computer Center, U.S. Geological Survey (No. 97-I-98) INTRODUCTION This report presents a synopsis of the draft audit report Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center, issued by the Office of Inspector General, U.S. House of Representatives, on September 3, 1996. The audit, which was coordinated through our office, was conducted by Price Waterhouse, LLP, under contract to the House s Office of Inspector General. We are issuing this report because we are the cognizant audit agency for the U.S. Geological Survey and because we want to ensure that the recommendations contained in this report are included in our audit recommendation tracking system. The objective of the audit was to evaluate the effectiveness of the general control environment surrounding the Federal Financial System and the processing of financial data for the House. BACKGROUND The Washington Administrative Service Center was established in 1987, within the Geological Survey, to direct the Department of the Interior s efforts to standardize administrative systems. As part of this effort, the Geological Survey purchased the Federal Financial System from American Management Systems, Inc., in 1987. The Service Center leases computer space from the Geological Survey s General Purpose Computer Center to operate the Federal Financial System on the Computer Center s mainframe computer. The system license purchased by the Geological Survey allows it to provide services to Federal agencies outside of the Department of the Interior. As such, the Geological Survey is able to provide the Federal Financial System as an interim financial management system to the U.S. House of Representatives. On August 3, 1995, the Committee on House Oversight, U.S. House of Representatives,

passed a resolution mandating the implementation of a new financial management system for House financial operations. The resolution required that the Chief Administrative Officer, in consultation with the House s Office of Inspector General, implement the system. In September 1995, the Chief Administrative Officer entered into an agreement with the Geological Survey to provide, on an interim basis, the Geological Survey s Federal Financial System for the processing of the House s financial data. The House s Office of Inspector General determined that a review of the general control environment of the Federal Financial System was necessary to ensure the integrity and security of the financial information to be processed on the system. As a result, a contract was awarded to Price Waterhouse, LLP, in March 1996 to perform a review of the policies and general controls of operations of the Geological Survey s Federal Financial System at the General Purpose Computer Center in Reston, Virginia. SCOPE OF AUDIT Direction for and oversight of the contracted audit were provided by the House s Office of Inspector General, which coordinated with our office throughout the review. The contracted audit was made in accordance with the Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included such tests of records and other auditing procedures that were considered necessary under the circumstances. The audit was performed from March through May 1996 at the General Purpose Computer Center. The contracted audit included a review of the integrity, confidentiality, and availability of information resources for processing the House s financial data. The evaluation focused on general controls, including the following: user authentication; prevention of the system and data from unauthorized access, modification, and destruction; contingency plans in case of system destruction; and the backup and recoverability of data, systems, and telecommunications in case operations are disrupted. To perform this review, the contractor performed the following tasks: - Documentation was obtained from and interviews were conducted with officials responsible for system operations. - Control techniques consistent with data security standards based on current industry standards and Government guidelines were identified. - An understanding of the computing and internal controls related to system data, including data integrity, security, and availability, was obtained. - Key management controls and internal controls were assessed and tested. 2

- Third-party audit and security software tools were used to perform automated testing techniques. In addition, computer and information systems audit guidelines were used in evaluating the effectiveness of the Computer Center s management and operations. As part of the review, the internal controls related to the integrity, confidentiality, and availability of the mainframe computer were evaluated. The contracted audit disclosed internal control weaknesses related to the operating system, system access, security program and functions, network controls, and business continuity planning. These weaknesses are discussed in the Results of Audit section of this report. The recommendations, if implemented, should improve controls in these areas. PRIOR AUDIT COVERAGE The General Accounting Office had not issued any reports relating to operations of the Computer Center or its Federal Financial System. Our office, however, has issued one report during the past 5 years relating to the Geological Survey s Federal Financial System. The September 1992 report Implementation of the Federal Financial System, U.S. Geological Survey (No. 92-1-14 18) stated that the Federal Financial System had not been implemented effectively and did not meet the requirements contained in the Joint Financial Management Improvements Program s Core Financial System Requirements. These conditions occurred, according to the report, because the Geological Survey did not comply with Office of Management and Budget and Departmental guidelines for establishing and maintaining an integrated financial management system. The report also identified inadequate physical security at the Reston Automated Data Processing Facility. The Geological Survey generally agreed with our 19 recommendations and initiated actions to correct the deficiencies identified. RESULTS OF AUDIT The House Office of Inspector General s audit report identified 42 weaknesses and made 70 recommendations for corrective actions to the Geological Survey and one recommendation for corrective action to both the Geological Survey and the House s Chief Administrative Officer. The report stated that the Geological Survey s General Purpose Computer Center had operational internal controls that were inadequate. Specifically, weaknesses existed in data center management and operations; mainframe computer system physical and logical security; telecommunications security; protection of the local area network from unauthorized access and use; and contingency planning, including backup procedures for preventing data loss and for the recovery of data in case of a disaster. The Office of Management and Budget and the National Institutes of Standards and Technology have 3

issued numerous directives, policies, and guidelines requesting that Federal agencies establish and implement computer security and controls to improve the safeguarding of sensitive information in Federal agencies computer systems. However, the Computer Center did not fully comply with these criteria because it did not: establish certain formal data center policies, standards, and procedures; segregate duties adequately; comply with vendor guidelines for system operations; and develop a formal and comprehensive data security program. Consequently, the Computer Center was susceptible to: unauthorized system access and data modification; errors and omissions during system start up and processing; and unauthorized facility or system access, which could lead to theft or destruction of hardware, software, and information. The control deficiencies noted in each of the functional aspects are summarized in the following paragraphs. Computer Center Management and Operations The House s September 3 report identified 8 weaknesses and made 17 recommendations regarding the Computer Center s management and operations. The report stated that the Computer Center had weaknesses in its management and operations that posed significant risks to computer system availability, confidentiality, and reliability. These problems included the following: - Inconsistent and inadequate security background checks and clearances for Computer Center government and contractor employees. - Poor controls over access to key support systems, such as the Internet, DOINET, and local area networks. - Inadequate and inconsistently used software program change control procedures. - Inadequate problem-resolution procedures. - Lack of control over the labeling and distribution of sensitive computer-generated printouts. Mainframe Computer System Physical and Logical Security The House s September 3 report identified 20 weaknesses and made 32 recommendations regarding the Computer Center s physical and logical security of its mainframe systems. The report stated that the Computer Center did not comply with vendor guidelines and generally accepted industry practices in administering and implementing operating system 4

and access security software controls on its mainframe computer. Some of these deficiencies included: - Improper controls over critical operating system components, such as system start-up parameters and options and the authorized program facility. - Unrestricted access to and use of powerful system programs, such as the Customer Information Control System transaction utility programs. - Inadequate controls over system programmer access to terminals capable of acting as the master console terminal. - Inadequate software change control procedures over modifications made to the Customer Information Control System environment. - Improper installation of and controls over security access control software. - Improper controls over programmers and separated/termninated employees. Telecommunications Security The House s September 3 report identified one weakness and made two recommendations regarding the Computer Center s telecommunications security. The report stated that unrestricted user access through the Internet posed integrity and security risks to internal systems such as the mainframe computer and certain local area networks. Local Area Network Protection The House s September 3 report identified 10 weaknesses and made 17 recommendations regarding the Computer Center s local area network protection. The report stated that the Geological Survey did not provide proper controls in administering and managing its local area networks, which are connected to the mainframe computer that processes Federal Financial System data. Problems related to the local area networks included the following: - Inconsistent management and administration practices between three local area network servers. - Improper controls over passwords on and general access to a particular local area network. - Inadequate controls over powerful access privileges (supervisor privileges) to the local area network. 5

- Lack of procedures for monitoring local area network access and usage. - Incomplete and untested contingency, data backup, and data recovery in case of disaster plans to ensure the timely recovery and resumption of operations. - Inadequate physical security controls to safeguard key network computer hardware. - Inconsistent requirements for installing and using virus detection software on fileservers and workstations. Contingency Planning, Backup, and Disaster Recovery The House s September 3 report identified three weaknesses and made three recommendations regarding the Computer Center s contingency planning, backup, and disaster recovery procedures. The report stated that the Computer Center s contingency planning, data backup, and disaster-recovery procedures for the Federal Financial System mainframe computer were inadequate and did not allow for complete business resumption. Corrective Actions The Geological Survey and House management worked collaboratively with our office, the House s Office of Inspector General, and the contracted auditing firm to resolve key issues. As a result of this collaborative effort, the Geological Survey was able to take immediate corrective actions to resolve the deficiencies that could have adversely impacted the integrity and security of the processing of the House s financial data on the Federal Financial System. Geological Survey management also initiated efforts to correct the other deficiencies identified, which were important to the overall integrity and security of data center operations. In its report, the House s Office of Inspector General stated that it believed that the actions taken and the continuing commitment demonstrated by Geological Survey management to resolve the deficiencies identified has greatly reduced the risk to the Computer Center s processing environment. U.S. Geological Survey Response and Office of Inspector General Reply The Director, U.S. Geological Survey, responded to the House s draft report on August 20, 1996. Based on this response, we considered 13 recommendations implemented and 58 recommendations resolved but not implemented. The unimplemented recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation (see the Appendix). The legislation, as amended, creating the Office of Inspector General requires semiannual reporting to the Congress on all audit reports issued, actions taken to implement audit 6

recommendations, and identification of each significant recommendation on which corrective action has not been taken. We appreciate the assistance of U.S. Geological Survey personnel in the conduct of this audit.

STATUS OF AUDIT REPORT RECOMMENDATIONS 1 APPENDIX Finding/Recommendation Reference Status Action Required 3E, 7B, 10A, 10B, Implemented. No further action is 13A, 15A, 15B, 18,22, required. 23,25,41, and 42 1A, lb, 2, 3A, 3B, 3C, 3D, 4, 5A, 5B, 5C, 6A, 6B, 8A, 8B, 9A, 9B, 9C, 11A, 11B, 11C, 12, 13B, 14A, 14B, 14C, 16 17, 19, 20A, 20B, 20C, 21 24A, 24B, 26,27,28, 29A, 29B, 30A, 30B, 31A, 31B, 32A, 32B, 33A, 33B, 33C, 33D, 34,35, 36A, 36B, 37,38 39, and 40 Resolved; not implemented. No further response to the Department of the Interior Office of Inspector General is required. The recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation. l From audit report Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center, dated September 3, 1996. 8

SHOULD BE REPORTED TO THE OFFICE OF INSPECTOR GENERAL BY: Sending written documents to: Calling: Within the Continental United States U.S. Departmnent of the Interior Our 24-hour Office of Inspector General Telephone HOTLINE 1550 WiIson Boulevard 1-800-424-5081 or Suite 402 (703) 235-9399 Arlington. Virginia 22210 TDD for hearing impaired (703) 235-9403 or 1-800-354-0996 Outside the Continental United States U.S. Department of the Interior (703) 235-9221 Office of Inspector General Eastern Division - Investigations 1550 Wilson Boulevard Suite 410 Arlington, Virginia 22209 U.S. Department of the Interior (700) 550-7279 or Office of Inspector General COMM 9-011-671-472-7279 North Pacific Region 238 Archbishop F.C. Flores Street Suite 807, PDN Building Agana, Guam 96910

HOTLINE

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information